Network World reports that a recent University of Indiana study found that phishers might be getting takers on as much as 14% of their trick messages, much higher than experts previously reported.

The study simulated phishing attacks on eBay customers as part of research summarized in “eBay, but the researchers were also notified. The researchers say all they received was the login notification, not login information such as a passwords that real phishers aim to steal.

The researchers believe that other research, such as a Gartner report that says about 3% of Americans are successfully targeted, might not take enough into account the number of people who do not admit they were victimized.

“Our goal was to determine the success rates of different types of phishing attacks, not only the types used today, but those that don’t yet occur in the wild, too,” states Markus Jakobsson, associate professor of informatics at Indiana University.

Fraudsters are using keylogging technology and launching phishing scams at a record rate, says a new report from McAfee Inc. The company’s Identity Theft Whitepaper reports a massive increase in the use of keyloggers, malicious programs that track the user’s typing activity to capture passwords and other personal data. Between January 2004 and May 2006, keylogger use increased a whopping 250%. During the same period, the number of phishing alerts tracked by the Anti-Phishing Working Group doubled.

The researcher concluded that identity theft is strongly impacting economies around the world. The Federal Trade Commission estimates that the annual cost for consumers and businesses in the United States is $50 billion a year. “In the United Kingdom, the Home Office has calculated the cost of identity theft to the British economy at $3.2 billion during the last three years, and some estimates from the Australian Centre for Policing Research place the cost of identity theft at $3 billion each year,” according to the report.

The whitepaper provides several recommendations for users, including the following:
• Watch out for phishing and pharming scams;
• Avoid clicking on links in emails to visit Web sites;
• Install comprehensive security software or services;
• Be careful when opening email attachments;
• Use strong passwords; and
• Be careful when using instant messaging

Yesterday, TrustedID announced a new free search service, StolenID Search, that allows consumers to check to see whether their information may have been compromised online. In addition to the free search, the service will also monitor for up to 3 pieces of information for one year for free. You can learn more about the service at our FAQs or follow some of what the press has been saying here: NBC11, CNET, American Public Radio and Wired.

We’ve had lots of questions about who in their right mind would be crazy enough to enter a credit card number or social security number into a service like StolenID Search. It’s a great question. The answer: Our search is anonymous and secure: we never ask you who you are and our site is built using the highest levels of security available on the Internet. Your credit card number or social security number alone has little value. It’s when these numbers become associated with a name, an address, a date of birth, a expiration date, a CVV2 number, etc that things start to get dangerous. We never know any of this information; therefore, searching for a number with StolenID Search cannot harm you, even in the worst case scenario.

People visiting StolenID Search seem to understand this and appreciate the power of finding out if their information is at risk. In the first day of operations, nearly every person who came to the site searched on a number and approximately 2% of those people found out their credit card or social security number was compromised.

John E. Dunn of Techworld.com reports that anti-fraud monitors have discovered a do-it-yourself phishing kit online. This kit aims to make phishing easy for everyone, even the most non-technical of users, to set up and carry out sophisticated phishing attacks on large numbers of websites.

EMC Software’s RSA division found the “universal man-in-the-middle phishing kit” being offered in a free demonstration version on a criminal forum monitored by the company.

The kit advertises a user-friendly interface designed to help the non-technical criminal by automating the programming needed to pull off a normally tricky man-in the middle attack on financial or e-commerce websites. According to RSA, the kit qualifies as ‘universal’ because it can be used on any website, and thus attacks don’t need to be tailored for each site

“As institutions put additional online security measures in place, inevitably the fraudsters are looking at new ways of duping innocent victims and stealing their information and assets,” said Marc Gaffan of RSA.

In 2003, a do-not-call list was created, allowing Americans to opt out of receiving direct marketing calls. According to Damon Darlin of the New York Times, people are registering in droves. The Federal Trade Commission, which administers the list, says that more than 137 million phone numbers have signed up for the list.

The popularity of the do-not-call list has created a demand for opt-out lists. Americans can now opt out of the standard practice of their banks or loan companies selling their information to others. They can also stop credit card companies from soliciting them and stop marketers from sending them junk mail and catalogs.

These opt-outs primarily exist to make life less annoying for consumers. However, they also help protect personal information that can be misused by identity thieves or shady merchants.
Darlin provides a list of opt-out options, including the following:

1. PHONE SOLICITATIONS: To stop them, go to donotcall.gov. Or call toll free, (888) 382-1222, from the number you are going to restrict.

2. JUNK MAIL: You can try to opt out of direct mail solicitations, but it will probably not work very well. A private organization, the Direct Marketing Association, handles that list and not every merchant with pages of hot leads is a rule-abiding member.

3. CREDIT CARD OFFERS Almost as annoying as the direct marketing call is the mailbox stuffed with credit card solicitations. The more you ignore their offers, the more you will receive. The major credit bureaus, like Experian, Equifax and TransUnion, that collect information on your borrowing habits let you opt out of what they call prescreened offers of credit at https://www.optoutprescreen.com. You can do it for a period of five years or permanently.

4. CREDIT FREEZE: The ultimate opt-out for your credit is a credit freeze. You’ll sometimes hear it recommended as a way to protect yourself from fraud because once you sign up to have your credit report frozen, no company can get access to your credit report without your expressed permission. That means no one can open up a credit card or take out a loan in your name.